trouble with rules configuring

Hello!

First of all, English is not my native language, so I’m sorry for any mistakes. :wink:

I have some trouble configuring my rule set, and I think this is the best place to ask for help.

I’ve installed Apache 2.2 and MySQL 5.5 on my local machine for my own needs. Now I’m trying to isolate the local servers from the external network with Comodo Firewall 5.10. I’m a newbie in everything about Comodo; I formerly used the Agnitum Outpost Firewall product (great stuff btw ;D).

I would like to note the absence of three useful features:

  • a “reason” (of permission/prohibition) column in the firewall log, which would show the exact rule applied;
  • a global option “log all connections”;
  • disabling a rule without removing it from the rules list.

This is a serious disadvantage of Comodo Firewall. In Outpost these features allow rules to be configured much more easily and clearly. Even for inexperienced users. Even without permanent RTFMing.

So now to the problem.

CF works in ‘Safe Mode’. Global rules are default. First I made a rule for httpd.exe: forbid all incoming connections (protocol: IP, all addresses: any, log event), simply to check whether this rule works or not. Well, it doesn’t! I easily reached the http://localhost index page with Opera. By the way, there is no rule for opera.exe in the Application Rules section at all, so why can Opera access the local and global network??? Also, this event was not logged.

OK, I added a new rule for httpd.exe: allow all outgoing TCP connections, with logging (to let it use the MySQL database and the CURL extension). I also made a rule for mysqld.exe: forbid and log all incoming connections (protocol: TCP, all addresses: any) - again, just to test how it works. So any attempt by the Apache server to initiate an outgoing TCP connection should be permitted, but any incoming connection to the MySQL server should be forbidden. That is, there should be two entries in the log if Apache tries to connect to MySQL:

2012.04.25 05:33:01 | …\httpd.exe | Permitted | Outgoing | TCP | 0.0.0.0 | 4305 | 127.0.0.1 | 3306
2012.04.25 05:33:01 | …\mysqld.exe | Forbidden | Incoming | TCP | 0.0.0.0 | 4305 | 0.0.0.0 | 3306

OK, I try to reach http://phpmyadmin… And it works! The connection to the MySQL server is permitted! And I see only the first entry in the log…

WTF?! ??? :frowning: :-TD

P.S. I also use NOD32 Antivirus; it is configured to scan HTTP traffic. But I see no ekrn.exe or opera.exe reports in the log. Also, there are no entries for these applications in the Application Rules section… Where are they?

Thank you for any help.

So, how do I forbid TCP access to local servers at :80 and :3306 from external networks? Nobody knows?

With CIS, if you’re running a local server, such as Apache or MySQL etc, and you connect via localhost (127.0.0.1) you won’t require any rules, unless you’re also allowing IPv6. Basically, CIS doesn’t filter requests of this type. On the other hand, if you’re connecting remotely, you will need inbound rules for the server service.

As far as NOD, if the Web filter used is anything like that used by Avast 7, then you should read Comodo Firewall and Avast 7
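
Since loopback requests are not filtered, a browser test against localhost says nothing about the inbound rules; what matters for external access is which address each server is listening on. The following is an added example, not part of the original thread: it parses Windows `netstat -an` output (the sample text is constructed) and reports whether the listeners on ports 80 and 3306 are bound to loopback only or to an address where the inbound firewall rules decide who can connect.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:4305         127.0.0.1:3306         ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

WATCHED_PORTS = {80, 3306}  # Apache and MySQL ports named in the thread


def split_endpoint(endpoint):
    """Split '0.0.0.0:80' or '[::]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def listener_exposure(netstat_text, ports=WATCHED_PORTS):
    """Classify each watched TCP listener by its bind address.

    'loopback-only': only local clients can connect, whatever the firewall says.
    'exposed': bound to a non-loopback address, so inbound rules decide.
    """
    result = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only TCP rows in LISTENING state; skip header, UDP, ESTABLISHED.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, port = split_endpoint(fields[1])
        if port in ports:
            result[fields[1]] = "loopback-only" if addr.is_loopback else "exposed"
    return result


if __name__ == "__main__":
    for local, status in listener_exposure(SAMPLE_NETSTAT).items():
        print(f"{local:<20} {status}")
```

To check a real machine, pass the captured output of `netstat -an` to `listener_exposure` in place of the constructed sample.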